Given the wide and rapid depolyment of "visitor networks", how to authenticate the user and account the usage on the per-packet basis securely and yet efficiently is still a challenging problem. In this paper, we explore the tradoff between performance and security, and propose a per-data-packet authentication and access control called RBWA (Random Bit Window based Authentication). Deployed in the IP layer, RBWA can work with various underlying link layer specific mechanisms and network topologies. And comparing to IPSec, it dramatically reduces the overhead and power consumption by adding only a few bits to each packet. Furthermore, RBWA is strong against a suite of attacks such as replay attack, Denial-of-Service attack and spoofing etc. In particular, a robust anti-replay window scheme is developed to counter the svere packet reordering. The performance of RBWA is evaluated via the simulation.